Computer security systems often include a multitude of signatures designed to detect malware attacks. Unfortunately, these signatures may have varying degrees of accuracy. For example, a signature may correctly fire on a malware attack but also fire on a wholly innocuous event (a false positive). Accordingly, this signature has less than perfect accuracy.
In an effort to account for signatures' varying degrees of accuracy, computer security systems may rely on confidence scores assigned to the signatures. For example, a computer security analyst may manually determine a confidence score of 100% for a signature included in a Security Information and Event Management (SIEM) system. In this example, the 100% confidence score may indicate that every event known to have triggered the signature was a genuine malware attack; that is, the score measures the signature's precision (the proportion of its alerts that are true positives), not the proportion of all attacks it catches. In other words, while the signature may be unable to detect each and every malware attack, the signature may successfully detect certain malware attacks without any false positives among the events it has been observed to flag. The SIEM system may subsequently rely on this 100% confidence score in assessing whether an event that triggers the signature actually amounts to a malware attack.
Unfortunately, certain signatures may remain scoreless until undergoing a potentially lengthy verification process. As a result, conventional security systems may be unable and/or reluctant to rely on these unverified signatures, thereby deriving little (if any) value from such signatures. The instant disclosure, therefore, identifies and addresses a need for systems and methods for estimating confidence scores of unverified signatures.
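The following is an added example, not code from the disclosure, that makes the two points above concrete: a verified signature's confidence score is computed here as its precision over analyst-verified alerts (an assumption of this example; the disclosure does not fix the formula), recall is tracked separately to show that 100% confidence does not mean every attack is caught, and a signature with no verification history yields no score, so an event that triggers only such a signature cannot be assessed. The signature names, the alert history and the "take the highest available score" assessment policy are all constructed for illustration.

```python
"""Confidence scores as signature precision, and the gap left by scoreless
signatures. Added example; all names, data and policies are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    signature: str          # which signature fired
    event_id: int           # the triggering event
    verified_attack: bool   # analyst verdict: was the event a real attack?


# Constructed verification history. SIG-A has only true positives, SIG-B has
# mixed results, SIG-C has never been through verification (no alerts here).
HISTORY: List[Alert] = [
    Alert("SIG-A", 101, True),
    Alert("SIG-A", 102, True),
    Alert("SIG-A", 103, True),
    Alert("SIG-A", 104, True),
    Alert("SIG-B", 201, True),
    Alert("SIG-B", 202, False),
    Alert("SIG-B", 203, True),
    Alert("SIG-B", 204, False),
    Alert("SIG-B", 205, True),
]


def confidence_score(history: List[Alert], signature: str) -> Optional[float]:
    """Precision of `signature`: verified attacks / all events that triggered it.

    Returns None when the signature has no verification history at all, which is
    the 'scoreless' case: there is no evidence either way, so no score is
    estimated here.
    """
    fired = [a for a in history if a.signature == signature]
    if not fired:
        return None
    true_positives = sum(1 for a in fired if a.verified_attack)
    return true_positives / len(fired)


def recall(history: List[Alert], signature: str, total_attacks: int) -> float:
    """Fraction of all known attacks the signature caught. A signature can have
    100% confidence (precision) and still miss most attacks."""
    caught = sum(1 for a in history if a.signature == signature and a.verified_attack)
    return caught / total_attacks


def score_table(history: List[Alert], signatures: List[str]) -> Dict[str, Optional[float]]:
    """Confidence score per signature; None marks an unverified signature."""
    return {sig: confidence_score(history, sig) for sig in signatures}


def assess_event(scores: Dict[str, Optional[float]], triggered: List[str]) -> Optional[float]:
    """Assumed SIEM policy for this example: the event's attack likelihood is the
    highest confidence among the scored signatures it triggered. Unscored
    signatures contribute nothing, so an event matched only by unverified
    signatures cannot be assessed at all (returns None)."""
    available = [scores[sig] for sig in triggered if scores.get(sig) is not None]
    if not available:
        return None
    return max(available)


if __name__ == "__main__":
    scores = score_table(HISTORY, ["SIG-A", "SIG-B", "SIG-C"])
    print(scores)                                   # SIG-A 1.0, SIG-B 0.6, SIG-C None
    print(recall(HISTORY, "SIG-A", total_attacks=10))  # 0.4: precise but low recall
    print(assess_event(scores, ["SIG-A", "SIG-C"]))  # 1.0: SIG-A decides
    print(assess_event(scores, ["SIG-C"]))           # None: scoreless only
```

Note that `total_attacks` has to come from outside the signature's own alert history (incident records, ground-truth labelling), which is exactly why precision is the quantity an analyst can assign from verified alerts alone while recall usually stays unknown.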